Browser local storage
Passwork allows saving the master key in the browser to avoid entering the master password on each login. Local Storage Secret Code — a server-generated token — is used for protection.
The saved master key is protected by a token that is only issued upon successful basic authentication. Without account access, it is impossible to decrypt data from localStorage.
Local Storage Secret Code
What it is
Local Storage Secret Code is a random token that:
- Is generated by the server when a user is created
- Is issued to the client after successful authentication
- Is used to encrypt the master key in localStorage
Characteristics
| Parameter | Web application | Browser extension |
|---|---|---|
| Length | 100 characters | 60 characters |
| Alphabet | A-Z, a-z, 0-9 | A-Z, a-z, 0-9 |
| Entropy | ~596 bits | ~357 bits |
| Generation | On server | On server |
| Token storage | On server | On server |
Lifecycle
- Creation — when user is registered, server generates Secret Code
- Issuance — with each successful authentication, server sends Secret Code to client
- Usage — client encrypts master key and saves to localStorage
- Rotation — Secret Code can be regenerated by administrator
Master key saving process
Saving sequence:
- User enables "Remember master password" option
- User enters master password
- Client computes master key (PBKDF2, 300,000 iterations, SHA-256)
- Client sends master key hash to server for verification
- Server confirms correctness and returns Local Storage Secret Code
- Client encrypts master key with Secret Code (AES-256-CBC)
- Encrypted master key is saved to localStorage
- Secret Code is not saved to localStorage
Encryption algorithm
| Parameter | Value |
|---|---|
| Algorithm | AES-256-CBC |
| Padding | PKCS#7 |
| Key | Local Storage Secret Code (100 characters → 256 bits) |
| IV | Automatically generated (128 bits) |
What is saved in localStorage
| Data | Format | Protection |
|---|---|---|
| Encrypted master key | Base64 string | AES-256-CBC |
| User ID | String | — |
| Application settings | JSON | — |
Never stored in localStorage:
- Master password
- Local Storage Secret Code (issued with each authentication)
- Unencrypted master key
- Private RSA key
Master key recovery process
Automatic login sequence:
- User opens the application
- Client checks for encrypted master key in localStorage
- If key exists — client remembers it for subsequent decryption
- User completes basic authentication (login/password)
- Server verifies credentials
- Server returns access tokens and Local Storage Secret Code
- Client decrypts master key with Secret Code (AES-256-CBC)
- Master key is recovered — master password entry not required
Automatic login conditions
Automatic master key recovery is possible if:
| Condition | Description |
|---|---|
| Key presence | localStorage contains encrypted master key |
| Authentication | User completed basic authentication |
| Valid Secret Code | Server returned correct Secret Code |
| Successful decryption | Data is not corrupted |
Security model
Threat protection
| Threat | Protection |
|---|---|
| localStorage theft | Data is encrypted, encryption key is on server |
| XSS attack | Secret Code is not stored on client |
| Session theft | Basic authentication required |
| Physical device access | Account password required |
Key principle
Without successful server authentication, decrypting the master key is impossible.
Even if an attacker:
- Gains access to localStorage
- Extracts the encrypted master key
- Gains access to the device filesystem
They cannot decrypt the data without:
- Account password (or SSO/LDAP access)
- Successful server authentication
- Obtaining Secret Code from server
Limitations
| Scenario | Risk |
|---|---|
| Shared device | Another person using the same browser profile may gain access once they authenticate |
| Browser sync | Encrypted key syncs between devices |
| Server compromise | Attacker could obtain Secret Code |
Managing saved data
Disabling the feature
Disabling by the user:
- User unchecks "Remember master password" in settings
- Saved data is deleted from localStorage
Forced reset
Forced reset by an administrator:
- Administrator regenerates the user's Secret Code
- All saved master keys become invalid
- User must enter the master password again
Logout
On logout:
- Session tokens are deleted
- Encrypted master key may remain in localStorage (for next login)
- User can optionally choose "Logout and forget"
Security recommendations
When to use "Remember"
Recommended:
- On personal device with password/biometrics
- For daily Passwork use
- When convenience matters and device is protected
Not recommended:
- On shared/public devices
- With strict security requirements
- If device may be lost/stolen
Organizational policies
Administrator can:
- Disable "Remember" feature at policy level
- Limit saved key validity period
- Require periodic master password re-entry
Memory protection
In-memory obfuscation
Besides localStorage encryption, Passwork uses a mechanism to protect passwords in browser memory:
| Method | Description |
|---|---|
| Splitting | Password is split into random parts |
| Obfuscation | Each part is obfuscated (character shifting) |
| Shuffling | Parts are stored in random order |
| Recovery | Recovery order is stored separately |
This is obfuscation, not cryptographic protection. It hinders simple memory reading (e.g., in dumps) but doesn't protect against targeted attacks with a debugger.
Browser extension differences
Browser extension has implementation differences:
| Parameter | Web application | Extension |
|---|---|---|
| Secret Code length | 100 characters (~596 bits) | 60 characters (~357 bits) |
| Storage | localStorage | chrome.storage.local |
| Isolation | Shared domain | Isolated extension |
| XSS protection | Depends on CSP | Full isolation |
Extension advantages
- Isolated storage — inaccessible from web pages
- Separate execution context — protection from malicious scripts
- XSS protection — visited sites cannot access extension data